Disclosure of information

Over the past few days I have received a number of emails in relation to a password reset from our JIRA installation. Initially the emails where in relation to a password reset for the admin account but then they were in relation to my own account which was worrying. We have noticed that my username has then been used to perform a brute force attack on various other web applications that we host.

I have discovered that the hacker requested the following URL: /jira/secure/IssueNavigator!executeAdvanced.jspa which results in an issue navigator screen with no information however when the manage option is selected it shows a list of user created filters and this shows the Owner's name and username.

Can this disclosure of information be prevented?

Are there other pages which users can access without being logged in and could potentially disclose information?

2 answers

If you have not done so, please contact support. There are security related tools that can access to pages, but they are only as good as the person designing the test cases.

Here is an url what Atlassian does when security vulnerbilities are found.

https://confluence.atlassian.com/display/JIRA/Security+Advisories

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted yesterday in Jira Service Desk

Looking for anyone who has switched from Zendesk to Jira Service Desk

Hi Community! The Jira Service Desk marketing team is looking for customers who have successfully switched from Zendesk to Jira Service Desk!   We’d love to hear your thoughts on the pros and ...

21 views 0 1
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you